Three members of a group that infected hundreds of websites from around the world with payment card stealing malware were arrested in Indonesia, the International Criminal Police Organisation (INTERPOL) has announced.

The arrests are the result of a larger multi-national law enforcement investigation that continues in other countries from the Southeast Asia region.

The three suspects, aged 23, 27, and 35, are accused of using the payment card details they stole to purchase electronic and luxury items and then selling them for a profit. They are facing prison sentences of up to 10 years.

INTERPOL refers to the malware used by the group as a JavaScript sniffer, but this is more commonly known in the security industry as a web skimmer. It consists of a malicious piece of JavaScript code that is inserted into a website -- typically in its checkout pages -- and is designed to steal the personal and payment information entered by customers.

The most notorious of these web skimmers is called Magecart and has been used in a large number of attacks over the past few years, including against very high-profile brands.

Russian cyber security firm Group-IB, which worked with INTERPOL and the Indonesian Police on this investigation, tracks the sniffer used as GetBilling, but according to another company, Sanguine Security, it is part of the Magecart family.

"Sanguine Security has been tracking the activity of this group for several years and has identified not 12 but 571 hacks by the same individuals," the company said in a blog post following the arrests announcement.

"These hacks could be attributed because of an odd message that was left in all of the skimming code: 'Success gan !' [which] translates to 'Success bro' in Indonesian and has been present for years on all of their skimming infrastructure."

Operation Night Fury investigation is ongoing

The three suspects were actually apprehended in December, but their arrest was not initially made public. That might be because of the larger law-enforcement effort dubbed Operation Night Fury that's underway and is looking at additional attacks in the region.

In fact, according to Sanguine, new attacks with the same code have been observed since December and at least 27 online stores are currently infected. This means other members of the group could still be at large.

Group-IB, which has been tracking GetBilling attacks since 2018, has identified almost 200 infected websites in Indonesia, Australia, Europe, the United States, South America and other regions.

In addition to physical goods, the group was also using stolen credit cards to pay for hosting services and new domains that they used in their attacks. Some of that infrastructure was hosted in Indonesia, but they always used VPN services to interact with it.

"According to Group-IB's annual 2019 threat report, the number of compromised cards uploaded to underground forums increased from 27.1 million to 43.8 million in H2 2018-H1 2019 year-on-year," the company said.

"The size of the carding market, in turn, grew by 33 per cent and amounted to USD 879.7 million. The sale of CVV data is also on the rise today, having increased by 19 per cent in the corresponding period, and one of the key reasons behind this trend could be JavaScript sniffers."

The number of web skimming attacks has been growing over the past two years, with security firms detecting new such breaches every hour.

Since this activity is so lucrative for cyber criminals, new skimmers have entered the underground market and have become commoditised, so these attacks are unlikely to stop anytime soon.

Arrested group a small part of Magecart

To put things in perspective, the Indonesian group was only responsible for one per cent of all Magecart incidents detected since 2017 by Sanguine. The company estimates that there are at least 40 to 50 sophisticated individuals involved in web skimming activity.

E-commerce site owners and companies running shopping carts on their websites should regularly scan their websites for infections and keep their content management software and plug-ins up to date. Administrative credentials should also be strong and well protected.

Web application firewalls can be used to detect and block intrusion attempts, but there are also other technologies like Content Security Policy (CSP) and Subresource Integrity (SRI) that can be used to restrict loaded scripts and prevent potential infections from impacting customers.

Copyright 2020 IDG Communications. ABN 14 001 592 650. All rights reserved. Reproduction in whole or in part in any form or medium without express written permission of IDG Communications is prohibited.